to_google_secops
Sends unstructured events to a Google SecOps Chronicle instance.
to_google_secops customer_id=string, private_key=string, client_email=string,
log_type=string, log_text=string, [region=string,
timestamp=time, labels=record, namespace=string,
max_request_size=int, batch_timeout=duration]
Description
The to_google_secops operator makes it possible to ingest events via the Google SecOps Chronicle unstructured logs ingestion API.
customer_id = string
The customer UUID to use.
private_key = string
The private key to use for authentication. This corresponds to the private_key in the SecOps collector config.
client_email = string
The user email to use for authentication. This corresponds to the client_email in the SecOps collector config.
log_type = string
The log type of the events.
log_text = string
The log text to send.
region = string (optional)
Regional prefix prepended to the hostname of the ingestion endpoint (malachiteingestion-pa.googleapis.com).
timestamp = time (optional)
Optional timestamp field to attach to logs.
labels = record (optional)
A record of labels to attach to the logs. For example, {node: "Configured Tenzir Node"}.
namespace = string (optional)
The namespace to use when ingesting.
Defaults to tenzir.
max_request_size = int (optional)
The maximum number of bytes in the request payload.
Defaults to 1M.
batch_timeout = duration (optional)
The maximum duration to wait for new events before sending the request.
Defaults to 5s.
Examples
from {log: "31-Mar-2025 01:35:02.187 client 0.0.0.0#4238: query: tenzir.com IN A + (255.255.255.255)"}
to_google_secops \
customer_id="00000000-0000-0000-00000000000000000",
private_key=secret("my_secops_key"),
client_email="somebody@example.com",
log_text=log,
log_type="BIND_DNS",
region="europe"
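The following pipeline is an added example and not one from the original page. It sends the same constructed BIND DNS log line, but spells out every optional parameter so that the defaults (namespace tenzir, 1M request size, 5s batch timeout) are visible and the labels record from the parameter description is attached. It assumes that now() is available as a TQL function for the event timestamp; all other names are the operator's documented parameters. As in the page's own example, the private key is read from the secret store with secret() rather than written into the pipeline text.

```tql
// Added example: a constructed DNS query log, forwarded with all optional
// parameters set explicitly. The input record is constructed inline.
from {log: "31-Mar-2025 01:35:02.187 client 0.0.0.0#4238: query: tenzir.com IN A + (255.255.255.255)"}
// now() is assumed to exist as a TQL function returning the current time;
// the private key comes from the secret store instead of the pipeline text.
to_google_secops \
  customer_id="00000000-0000-0000-00000000000000000",
  private_key=secret("my_secops_key"),
  client_email="somebody@example.com",
  log_type="BIND_DNS",
  log_text=log,
  region="europe",
  timestamp=now(),
  labels={node: "Configured Tenzir Node"},
  namespace="tenzir",
  max_request_size=1M,
  batch_timeout=5s
```

Lowering batch_timeout trades request overhead for lower end-to-end latency; raising max_request_size has the opposite effect, and both are bounded by what the ingestion API accepts on the SecOps side.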